Mere days after the fitness-tracking app Moves assured users about their privacy after its acquisition by Facebook, the company has changed its privacy policy to allow itself to share data with third parties. TheWall Street Journalreported the changes late Monday, which were pushed as an app update to Moves users.

Moves uses a smartphone's accelerometer (or the M7 processor in the case of the iPhone 5S) to passively track a user's walking, cycling, running, or driving activity. Users can log other information like calorie counts or activities manually, and Moves integrates with a handful of other life-logging apps like Momento or OptimizeMe to create detailed timelines of where a person goes and how they get there—for instance, their trips to a local coffee shop.

Further Reading

Moves' privacy policy at the time it was acquired stated strictly that it did not share data with third parties, with three exceptions: sharing with the user's consent, sharing under legal obligations, and sharing if the business is acquired by a third party. Technically, Moves already had its users' permission under this privacy policy to share data with Facebook.

And yet the official Moves Twitter account tweeted following the acquisition that it would not "commingle" its data with Facebook's user data. Moves then changed its privacy policy to state that it would share not only user data but also personally identifying data with "affiliates… including but not limited to Facebook." To confuse things further, Facebook repeated the same line about how the two companies would not "commingle" user data to the Journal Monday.

The Facebook spokeswoman continued by saying that Facebook does plan to share the Moves data. Presumably, all of this means that Facebook will give Moves data to third parties like marketers and advertisers but will not bundle it themselves with Facebook's own data. However, Facebook's data on its users who use Moves is also for sale to the same marketers and advertisers. Many companies that collect this data are skilled at cross-referencing it themselves.

Further Reading

The change of privacy course is one that users dread, but rarely one that comes to pass so quickly and messily. Instagram left the matter of privacy alone when it was acquired, while WhatsApp took such a strong stance against ever collecting data, let alone sharing it with Facebook, that its founder reiterated in a second blog post for good measure.

Moves, by contrast, has found an innocent soundbite to repeat publicly that belies the fact of what is going on in the legal language of its privacy policy. More importantly, it belies the possibility of what can be done with its data by saying Facebook won't be the one doing what its users dread. Data brokers like Acxiom and Datalogix as well as credit agencies like Experian and TransUnion trade in consumer data, some of it bought from "third parties" like social media companies. In their databases, data brokers can "commingle" this information all they like, even partially or wholly undoing any anonymizing that has been done.

Moves provides an unusual kind of user data in that it tracks movement as well as health- and fitness-oriented information. Much in the way that the Nest thermostats and smoke detectors can get valuable information for Google—and by extension property insurance companies—data from Moves could easily catch the eye of insurers and lucrative businesses in the weight-loss or fitness industries. Soon, that data will be only a monetary exchange away.

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter@caseyjohnston

I guess this is exactly what Whatsapp acquisition is about. FB doesn't need to get access to the data, they just sell it.... neatly sorted by user id, with possibly an "added value", "premium" data set of all user ids, sold in a easy to access grid of linked ids.

I don't understand the desire to track every personal action throughout the day. An appointment calendar is one thing, but detailing your day to this degree is disconcerting to me. Perhaps it's for the health-minded, but at what point does this become obsessive self diagnostics?

It would be nice if Congress said enough is enough. Users should have a few basic rights when it comes to their privacy, including but not limited too:1) The right to request all personal data a company has on you2) The right to request all personal data said company has on you gets deleted. Entirely.3) The right to forbid a company from sharing your personal details.4) The right to be notified in advance (say 30 days) of a privacy update and to be able to petition those changes to the government to be sure they do not interfere with these four points.

Although I already knew about data sharing/selling and companies cross referencing various data feeds to make a picture of you was going on, it still gives me the willies whenever I read about it. It makes me want to go off-grid.

I don't understand the desire to track every personal action throughout the day. An appointment calendar is one thing, but detailing your day to this degree is disconcerting to me. Perhaps it's for the health-minded, but at what point does this become obsessive self diagnostics?

I find it even harder that you want such an application to have anything to do with social media or being online in any way. I could understand if this was an application that didn't connect anywhere or uploaded the data to anyone, but simply kept it on your phone, but even under the old terms you could still be inadvertently be providing evidence against yourself if you were ever accused of a crime and the application owners were legally compelled to turn over their data.

I wouldn't want anything tracking my every movement throughout a day for any reason.

It would be nice if Congress said enough is enough. Users should have a few basic rights when it comes to their privacy, including but not limited too:1) The right to request all personal data a company has on you2) The right to request all personal data said company has on you gets deleted. Entirely.3) The right to forbid a company from sharing your personal details.4) The right to be notified in advance (say 30 days) of a privacy update and to be able to petition those changes to the government to be sure they do not interfere with these four points.

You don't have the right to simultaneously use a service and not agree to whatever the conditions of the service are.

You're trading your shopping information to Safeway in exchange for a few bucks off your groceries. If you don't agree to this, you have the right to shop elsewhere, or the right to shop at Safeway but pay full price. Wanting "the right" to all of the above while paying the discount price is just wanting "the right" to have your cake while also having "the right" to eat it too.

A simple change in current law would address this to everyone's satisfaction, particularly companies like Facebook who claim that privacy is their number one priority. If you buy a paid app that changes their privacy policy after you've purchased it, you should have 90 days to return the product for a full refund. I don't think companies should be locked into one privacy policy for life, but I also don't think it's fair to consumers who make decisions based on privacy to have those decisions rendered moot by a unilateral change. Oh, and I think they should affirmatively notify all their customers of their right to a full refund.

For some of these products, having to change apps after you've used one for a long time can be very disruptive. Maybe vendors would think twice about these changes if they cost them money, and maybe consumers' pain over the change would be mitigated by a little cash from the vendor.

I don't understand the desire to track every personal action throughout the day. An appointment calendar is one thing, but detailing your day to this degree is disconcerting to me. Perhaps it's for the health-minded, but at what point does this become obsessive self diagnostics?

I find it even harder that you want such an application to have anything to do with social media or being online in any way. I could understand if this was an application that didn't connect anywhere or uploaded the data to anyone, but simply kept it on your phone, but even under the old terms you could still be inadvertently be providing evidence against yourself if you were ever accused of a crime and the application owners were legally compelled to turn over their data.

I wouldn't want anything tracking my every movement throughout a day for any reason.

A simple change in current law would address this to everyone's satisfaction, particularly companies like Facebook who claim that privacy is their number one priority. If you buy a paid app that changes their privacy policy after you've purchased it, you should have 90 days to return the product for a full refund. I don't think companies should be locked into one privacy policy for life, but I also don't think it's fair to consumers who make decisions based on privacy to have those decisions rendered moot by a unilateral change. Oh, and I think they should affirmatively notify all their customers of their right to a full refund.

For some of these products, having to change apps after you've used one for a long time can be very disruptive. Maybe vendors would think twice about these changes if they cost them money, and maybe consumers' pain over the change would be mitigated by a little cash from the vendor.

As a consumer I really like this idea. However no law like that will ever get written.

Kind of relieved that I wiped my account on the day of the acquisition. If I remember correctly, there's 30 day grace period before they wipe the backups. Wonder if they'll honor that promise, or if the prompt policy changes is a way to circumvent the original agreement.

I'm surprised someone doesn't have an app like this that puts the information on your own personal cloud?

Probably too expensive to compete with the ad-supported crap. Facebook needs to be able to put miracle diet pill or "low T" ads on every page you visit, and they can't know which are appropriate without a bunch of your personal health information. If you wear your fitness monitor to bed, you're liable to start seeing Viagra ads after a week without nookie.

I don't understand the desire to track every personal action throughout the day. An appointment calendar is one thing, but detailing your day to this degree is disconcerting to me. Perhaps it's for the health-minded, but at what point does this become obsessive self diagnostics?

I love to know how active I am in a given week. It motivates me to get out of the house more when I have ACTUAL DATA that says "you've been quite the couch potato this week" as opposed to thinking "well, I did hike last weekend and I biked, so I think I'm OK". I like being able to track a hike, compare it to my previous runs, and say "I went a little faster this time! Next time, I'll push even harder". I WANT to know how my miles I biked/walked/ran. It helps me set goals, for example, bike at least 500 miles this summer. To each their own.

I don't understand the desire to track every personal action throughout the day. An appointment calendar is one thing, but detailing your day to this degree is disconcerting to me. Perhaps it's for the health-minded, but at what point does this become obsessive self diagnostics?

I love to know how active I am in a given week. It motivates me to get out of the house more when I have ACTUAL DATA that says "you've been quite the couch potato this week" as opposed to thinking "well, I did hike last weekend and I biked, so I think I'm OK". I like being able to track a hike, compare it to my previous runs, and say "I went a little faster this time! Next time, I'll push even harder". I WANT to know how my miles I biked/walked/ran. It helps me set goals, for example, bike at least 500 miles this summer. To each their own.

I have absolutely no desire to share this with people.

This. When I started reading about what this app did, I was like "oh, that sounds awesome, I want to download it" and then I finished the article. =(

In addition to showing what you did, it shows what you didn't do. I'm a software developer, so my primary job has me sitting on my butt a lot. It's nice to have something that I can look at and realize how lazy I've been and motivate me to get out for some exercise.

I would pay more for apps from companies that wouldn't pimp me and my data out. Seems to me there is a huge market opportunity for apps that seriously protect your privacy, but is anyone making them?

The sad fact is that most people either don't know enough, or don't care enough, if a company keeps data on them and shares it with everyone.

Many companies have tried to charge small fees for services in lieu of ad-based or data-based income models, but they just generally don't do as well as the "free" services.

For example, App.net was supposed to be the future of social networking, where all the data is yours and no one shares it without your permission, and you pay for the privilege. While there are around 100,000 users, this pales in comparison to Facebook (although it may be higher than G+ *snicker*). The biggest problem is that if your friends aren't like-minded individuals, willing to pay for a service like that as well, you're going to be doing a whole lot of anti-social networking instead.

I'd much rather the large players like Google and Facebook start offering pay-for-service models, in addition to their current models, so you can still connect with friends and family on the most popular networks, but while paying a premium for the guarantee that your data won't be shared. So far, none of them are taking this tack, ostensibly because your data is far more valuable than your money.

It would be nice if Congress said enough is enough. Users should have a few basic rights when it comes to their privacy, including but not limited too:1) The right to request all personal data a company has on you2) The right to request all personal data said company has on you gets deleted. Entirely.3) The right to forbid a company from sharing your personal details.4) The right to be notified in advance (say 30 days) of a privacy update and to be able to petition those changes to the government to be sure they do not interfere with these four points.

So, pretty much what the EU does -- socialists. Why do you hate America? /s

Failbook acquires company, company changes data policy so that their data can be aggregated with existing Failbook data. This is in no way surprising, but is a good pointed for another app that can be deleted, never to be used again.

At what point will companies realise that an acquisition by Failbook is for a certain sub-set of users a line that they will not cross?

Unfortunately I suspect that dollar signs mask a lot of previous good intentions.